

sys/netpfil/ipfilter/netinet/ip_state.h


    1 /*      $FreeBSD$       */
    2 
    3 /*
    4  * Copyright (C) 2012 by Darren Reed.
    5  *
    6  * See the IPFILTER.LICENCE file for details on licencing.
    7  *
    8  * @(#)ip_state.h       1.3 1/12/96 (C) 1995 Darren Reed
    9  * $FreeBSD$
   10  * Id: ip_state.h,v 2.68.2.10 2007/10/16 09:33:24 darrenr Exp $
   11  */
   12 #ifndef __IP_STATE_H__
   13 #define __IP_STATE_H__
   14 
/*
 * ioctl command built with _IOW (data flows from the caller into the
 * kernel) whose argument is a struct ipfobj.
 * NOTE(review): by its name this deletes a state entry; confirm against
 * ipf_state_ioctl() and check which privilege the handler requires.
 */
# define        SIOCDELST       _IOW('r', 61, struct ipfobj)

/* Forward declaration; this header only stores a pointer to struct ipscan. */
struct ipscan;

/*
 * Compile-time defaults; both can be overridden by defining them before
 * this header is included.  IPSTATE_MAX caps how many states are held.
 * NOTE(review): presumably these seed ipf_state_size and ipf_state_max in
 * ipf_state_softc_t; confirm where they are consumed.  A cap that is too
 * generous lets tracked flows consume more memory, so treat changes to it
 * as a resource-exhaustion decision.
 */
#ifndef IPSTATE_SIZE
# define        IPSTATE_SIZE    5737
#endif
#ifndef IPSTATE_MAX
# define        IPSTATE_MAX     4013    /* Maximum number of states held */
#endif

/*
 * PAIRS() is true when the pair (s1,d1) equals (s2,d2) in the same order
 * or with source and destination swapped, so it matches either direction.
 * The arguments are expanded more than once: pass expressions without
 * side effects.
 * IPPAIR() applies the same test to the s_addr member of each argument.
 */
#define PAIRS(s1,d1,s2,d2)      ((((s1) == (s2)) && ((d1) == (d2))) ||\
                                 (((s1) == (d2)) && ((d1) == (s2))))
#define IPPAIR(s1,d1,s2,d2)     PAIRS((s1).s_addr, (d1).s_addr, \
                                      (s2).s_addr, (d2).s_addr)
   30 
   31 
/*
 * One entry of the packet filter's state table.
 *
 * The structure mixes raw pointers (list links, interface pointers, the
 * rule pointer) with per-flow data, and it is embedded by value in
 * struct ipstate_save.  Field order and sizes therefore define a binary
 * layout; do not reorder members.
 *
 * NOTE(review): several members are fixed-size character arrays
 * (is_group, is_sbuf, is_ifname); code that fills them must bound the
 * copy to the array size and keep the strings terminated.
 */
typedef struct ipstate {
        ipfmutex_t      is_lock;
        /*
         * Linkage.  NOTE(review): presumably is_next/is_pnext chain the
         * entry on the global list and is_hnext/is_phnext on a hash
         * bucket; confirm in ip_state.c.
         */
        struct  ipstate *is_next;
        struct  ipstate **is_pnext;
        struct  ipstate *is_hnext;
        struct  ipstate **is_phnext;
        struct  ipstate **is_me;
        /* Four interface slots; is_ifpin is slot 0 and is_ifpout is slot 2. */
        void            *is_ifp[4];
        void            *is_sync;
        frentry_t       *is_rule;
        struct  ipftq   *is_tqehead[2];
        struct  ipscan  *is_isc;
        /* Counters, four slots each (slot meaning not shown in this header). */
        U_QUAD_T        is_pkts[4];
        U_QUAD_T        is_bytes[4];
        U_QUAD_T        is_icmppkts[4];
        /* Timeout queue entry; is_die, is_state and is_touched alias its members. */
        struct  ipftqent is_sti;
        u_int   is_frage[2];
        int     is_ref;                 /* reference count */
        int     is_isninc[2];
        u_short is_sumd[2];
        /* Addresses; is_saddr and is_daddr alias the in4.s_addr view of these. */
        i6addr_t        is_src;
        i6addr_t        is_dst;
        u_int   is_pass;
        u_char  is_p;                   /* Protocol */
        u_char  is_v;
        int     is_family;
        u_32_t  is_hv;
        u_32_t  is_tag;
        u_32_t  is_opt[2];              /* packet options set */
        u_32_t  is_optmsk[2];           /*    "      "    mask */
        u_short is_sec;                 /* security options set */
        u_short is_secmsk;              /*    "        "    mask */
        u_short is_auth;                /* authentication options set */
        u_short is_authmsk;             /*    "              "    mask */
        /*
         * Per-protocol data.  The members overlap, so only the one that
         * matches the entry's protocol holds meaningful data.
         */
        union {
                icmpinfo_t      is_ics;
                tcpinfo_t       is_ts;
                udpinfo_t       is_us;
                greinfo_t       is_ug;
        } is_ps;
        u_32_t  is_flags;               /* IS_* flag bits */
        int     is_flx[2][2];
        u_32_t  is_rulen;               /* rule number when created */
        u_32_t  is_s0[2];
        u_short is_smsk[2];
        frdest_t        is_dif;
        frdest_t        is_tifs[2];
        char    is_group[FR_GROUPLEN];
        char    is_sbuf[2][16];
        /* NOTE(review): presumably one name per is_ifp[] slot; confirm. */
        char    is_ifname[4][LIFNAMSIZ];
} ipstate_t;
   83 
/*
 * Shorthand names for nested members of struct ipstate.
 *
 * These are object-like macros with no scoping: in any file that includes
 * this header, every identifier spelled is_die, is_type, is_send and so
 * on is rewritten, including unrelated locals or struct members.
 *
 * is_icmp, is_tcp, is_udp and is_gre name members of the same union
 * (is_ps), so an accessor built on one of them reads overlapping storage.
 * NOTE(review): is_sport and is_dport go through the TCP member; confirm
 * that udpinfo_t shares that layout before relying on them for UDP
 * entries.
 */
#define is_die          is_sti.tqe_die
#define is_state        is_sti.tqe_state
#define is_touched      is_sti.tqe_touched
#define is_saddr        is_src.in4.s_addr
#define is_daddr        is_dst.in4.s_addr
#define is_icmp         is_ps.is_ics
#define is_type         is_icmp.ici_type
#define is_tcp          is_ps.is_ts
#define is_udp          is_ps.is_us
/* TCP window tracking: ts_data[0] backs the "s" names, ts_data[1] the "d" names. */
#define is_send         is_tcp.ts_data[0].td_end
#define is_dend         is_tcp.ts_data[1].td_end
#define is_maxswin      is_tcp.ts_data[0].td_maxwin
#define is_maxdwin      is_tcp.ts_data[1].td_maxwin
#define is_maxsend      is_tcp.ts_data[0].td_maxend
#define is_maxdend      is_tcp.ts_data[1].td_maxend
#define is_swinscale    is_tcp.ts_data[0].td_winscale
#define is_dwinscale    is_tcp.ts_data[1].td_winscale
#define is_swinflags    is_tcp.ts_data[0].td_winflags
#define is_dwinflags    is_tcp.ts_data[1].td_winflags
#define is_sport        is_tcp.ts_sport
#define is_dport        is_tcp.ts_dport
/* Slots 0 and 2 of is_ifp[]; slots 1 and 3 have no alias in this header. */
#define is_ifpin        is_ifp[0]
#define is_ifpout       is_ifp[2]
#define is_gre          is_ps.is_ug
#define is_call         is_gre.gs_call
  109 
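/*
 * Flag bits stored in ipstate.is_flags.
 *
 * The first seven reuse SI_* values defined elsewhere; the hex values in
 * the trailing comments are the ones recorded by the original author.
 */
#define IS_WSPORT       SI_W_SPORT      /* 0x00100 */
#define IS_WDPORT       SI_W_DPORT      /* 0x00200 */
#define IS_WSADDR       SI_W_SADDR      /* 0x00400 */
#define IS_WDADDR       SI_W_DADDR      /* 0x00800 */
#define IS_NEWFR        SI_NEWFR        /* 0x01000 */
#define IS_CLONE        SI_CLONE        /* 0x02000 */
#define IS_CLONED       SI_CLONED       /* 0x04000 */
#define IS_TCPFSM                          0x10000
#define IS_STRICT                          0x20000
#define IS_ISNSYN                          0x40000
#define IS_ISNACK                          0x80000
#define IS_STATESYNC                       0x100000
#define IS_LOOSE                           0x200000
/*
 * IS_SC flags are for scan-operations that need to be recognised in state.
 *
 * IS_SC_MATCHALL and IS_SC_ALL previously OR-ed IS_SC_MATCHC with itself,
 * which left the server-match bit (IS_SC_MATCHS) out of both masks: a test
 * or clear done with them never saw that bit.  Both now include it.
 * Callers that relied on the old values should be re-checked.
 * IS_SC_MATCHS does not fit in a signed 32-bit int, so the combined masks
 * have unsigned type.
 */
#define IS_SC_CLIENT                    0x10000000
#define IS_SC_SERVER                    0x20000000
#define IS_SC_MATCHC                    0x40000000
#define IS_SC_MATCHS                    0x80000000
#define IS_SC_MATCHALL  (IS_SC_MATCHC|IS_SC_MATCHS)
#define IS_SC_ALL       (IS_SC_MATCHC|IS_SC_MATCHS|IS_SC_CLIENT|IS_SC_SERVER)

/*
 * Flags that can be passed into ipf_addstate
 *
 * The mask covers bits 8-27 only: the low eight bits and the IS_SC_* scan
 * bits cannot be supplied by the caller through this mask.
 */
#define IS_INHERITED                    0x0fffff00

#define TH_OPENING      (TH_SYN|TH_ACK)
/*
 * is_flags:
 * Bits 0 - 3 are used as a mask with the current packet's bits to check
 * whether it is short, tcp/udp, a fragment or carries IP options.
 * Bits 4 - 7 are set from the initial packet and contain what the packet
 * anded with bits 0-3 must match.
 * Bits 8,9 are used to indicate wildcard source/destination port matching.
 * Bits 10,11 are reserved for other wildcard flag compatibility.
 * Bits 12,13 are for scanning.
 * NOTE(review): the last line looks out of date.  In the values above,
 * bits 12-14 are IS_NEWFR/IS_CLONE/IS_CLONED and the IS_SC_* scan flags
 * occupy bits 28-31.
 */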
  149 
/*
 * A state entry bundled with a copy of a filter rule.
 *
 * Both structures are embedded by value, so every pointer held inside
 * struct ipstate (list links, is_ifp[], is_rule, ...) travels with the
 * record, as does the untyped ips_next pointer.
 * NOTE(review): if this record crosses the user/kernel boundary (the name
 * suggests save/restore of state), confirm that the receiving side
 * discards or re-derives every embedded pointer instead of trusting it,
 * and that kernel addresses are not disclosed on the way out.
 */
typedef struct  ipstate_save    {
        void    *ips_next;
        struct  ipstate ips_is;
        struct  frentry ips_fr;
} ipstate_save_t;

/* Shorthand for the rule pointer of the embedded state entry. */
#define ips_rule        ips_is.is_rule
  157 
  158 
/*
 * Log record for a state entry.  It carries counters, addresses and
 * protocol details by value and holds no pointers.
 * NOTE(review): presumably isl_type takes one of the ISL_* event codes;
 * confirm against ipf_state_log().
 */
typedef struct  ipslog  {
        U_QUAD_T        isl_pkts[4];
        U_QUAD_T        isl_bytes[4];
        i6addr_t        isl_src;
        i6addr_t        isl_dst;
        u_32_t  isl_tag;
        u_short isl_type;
        /* Overlapping views of the same four bytes: two ports or one ICMP value. */
        union {
                u_short isl_filler[2];
                u_short isl_ports[2];
                u_short isl_icmp;
        } isl_ps;
        u_char  isl_v;
        u_char  isl_p;
        u_char  isl_flags;
        u_char  isl_state[2];
        u_32_t  isl_rulen;
        char    isl_group[FR_GROUPLEN];
} ipslog_t;

/* Shorthand for the union members: ports[0] is the source, ports[1] the destination. */
#define isl_sport       isl_ps.isl_ports[0]
#define isl_dport       isl_ps.isl_ports[1]
#define isl_itype       isl_ps.isl_icmp
  182 
/*
 * Event codes.  Every value fits in 16 bits.
 * NOTE(review): presumably stored in ipslog.isl_type (a u_short); confirm.
 * The low values count up from 0 and the remaining ones count down from
 * 0xffff, which leaves the middle of the range unused.
 */
#define ISL_NEW                 0
#define ISL_CLONE               1
#define ISL_STATECHANGE         2
#define ISL_EXPIRE              0xffff
#define ISL_FLUSH               0xfffe
#define ISL_REMOVE              0xfffd
#define ISL_INTERMEDIATE        0xfffc
#define ISL_KILLED              0xfffb
#define ISL_ORPHAN              0xfffa
#define ISL_UNLOAD              0xfff9
  193 
  194 
/*
 * Counters and gauges for the state table.
 *
 * Besides plain counters the structure holds four pointers (iss_list,
 * iss_table, iss_tcptab, iss_bucketlen).
 * NOTE(review): if this structure is copied out to a userland statistics
 * tool, those members expose kernel addresses; confirm how the export
 * path handles them.
 * NOTE(review): the two 256-element arrays are presumably indexed by IP
 * protocol number (is_p is a u_char); confirm.
 */
typedef struct  ips_stat {
        u_int   iss_active;
        u_int   iss_active_proto[256];
        u_long  iss_add_bad;
        u_long  iss_add_dup;
        u_long  iss_add_locked;
        u_long  iss_add_oow;
        u_long  iss_bucket_full;
        u_long  iss_check_bad;
        u_long  iss_check_miss;
        u_long  iss_check_nattag;
        u_long  iss_check_notag;
        u_long  iss_clone_nomem;
        u_long  iss_cloned;
        u_long  iss_expire;
        u_long  iss_fin;
        u_long  iss_flush_all;
        u_long  iss_flush_closing;
        u_long  iss_flush_queue;
        u_long  iss_flush_state;
        u_long  iss_flush_timeout;
        u_long  iss_hits;
        u_long  iss_icmp6_icmperr;
        u_long  iss_icmp6_miss;
        u_long  iss_icmp6_notinfo;
        u_long  iss_icmp6_notquery;
        u_long  iss_icmp_bad;
        u_long  iss_icmp_banned;
        u_long  iss_icmp_headblock;
        u_long  iss_icmp_hits;
        u_long  iss_icmp_icmperr;
        u_long  iss_icmp_miss;
        u_long  iss_icmp_notquery;
        u_long  iss_icmp_short;
        u_long  iss_icmp_toomany;
        u_int   iss_inuse;
        ipstate_t *iss_list;            /* pointer, not a counter */
        u_long  iss_log_fail;
        u_long  iss_log_ok;
        u_long  iss_lookup_badifp;
        u_long  iss_lookup_badport;
        u_long  iss_lookup_miss;
        u_long  iss_max;
        u_long  iss_max_ref;
        u_long  iss_max_track;
        u_long  iss_miss_mask;
        u_long  iss_nomem;
        u_long  iss_oow;
        u_long  iss_orphan;
        u_long  iss_proto[256];
        u_long  iss_scan_block;
        u_long  iss_state_max;
        u_long  iss_state_size;
        u_long  iss_states[IPF_TCP_NSTATES];    /* one slot per TCP state */
        ipstate_t **iss_table;          /* pointer, not a counter */
        u_long  iss_tcp_closing;
        u_long  iss_tcp_oow;
        u_long  iss_tcp_rstadd;
        u_long  iss_tcp_toosmall;
        u_long  iss_tcp_badopt;
        u_long  iss_tcp_fsm;
        u_long  iss_tcp_strict;
        ipftq_t *iss_tcptab;            /* pointer, not a counter */
        u_int   iss_ticks;
        u_long  iss_wild;
        u_long  iss_winsack;
        u_int   *iss_bucketlen;         /* pointer, not a counter */
} ips_stat_t;
  263 
  264 
/*
 * Per-instance context of the state module: tunables, the state list and
 * table, the timeout queues and the statistics block.
 *
 * NOTE(review): ipf_state_max, ipf_state_maxbucket and the ipf_state_wm_*
 * watermarks look like the limits that bound table growth, and
 * ipf_state_seed like per-bucket hash seeding.  Confirm in ip_state.c and
 * treat changes to them as changes to the filter's resistance to
 * state-table exhaustion.
 */
typedef struct ipf_state_softc_s {
        ipfmutex_t      ipf_stinsert;
        int             ipf_state_logging;
        int             ipf_state_lock;
        int             ipf_state_doflush;
        u_int           ipf_state_inited;
        u_int           ipf_state_max;
        u_int           ipf_state_maxbucket;
        u_int           ipf_state_size;
        u_int           ipf_state_wm_freq;
        u_int           ipf_state_wm_high;
        u_int           ipf_state_wm_low;
        u_int           ipf_state_wm_last;
        u_long          *ipf_state_seed;
        ipstate_t       *ipf_state_list;
        ipstate_t       **ipf_state_table;
        ipftuneable_t   *ipf_state_tune;
        ipftq_t         *ipf_state_usertq;
        /* Timeout queues embedded by value, plus one TCP queue per TCP state. */
        ipftq_t         ipf_state_pending;
        ipftq_t         ipf_state_deletetq;
        ipftq_t         ipf_state_udptq;
        ipftq_t         ipf_state_udpacktq;
        ipftq_t         ipf_state_iptq;
        ipftq_t         ipf_state_icmptq;
        ipftq_t         ipf_state_icmpacktq;
        ipftq_t         ipf_state_tcptq[IPF_TCP_NSTATES];
        ips_stat_t      ipf_state_stats;
} ipf_state_softc_t;
  293 
  294 
/* ipf_state_dump() is declared only for non-kernel (userland) builds. */
#ifndef _KERNEL
extern  void    ipf_state_dump(ipf_main_softc_t *, void *);
#endif
/* TCP helpers: ageing of a queue entry and the in-window check for a segment. */
extern  int     ipf_tcp_age(struct ipftqent *, struct fr_info *,
                                struct ipftq *, int, int);
extern  int     ipf_tcpinwindow(struct fr_info *, struct tcpdata *,
                                    struct tcpdata *, tcphdr_t *, int);

/*
 * State table operations.
 * NOTE(review): ipf_state_ioctl() and ipf_state_matchflush() take a
 * caddr_t, which presumably points at caller-supplied data; their
 * implementations are where copy-in sizes and privilege checks need
 * review.
 * NOTE(review): ipf_state_deref() takes the address of the caller's
 * pointer; together with the is_ref reference count this suggests it
 * releases a reference and clears the pointer, to be confirmed.
 */
extern  int     ipf_state_add(ipf_main_softc_t *, fr_info_t *,
                                   ipstate_t **, u_int);
extern  frentry_t *ipf_state_check(struct fr_info *, u_32_t *);
extern  void    ipf_state_deref(ipf_main_softc_t *, ipstate_t **);
extern  void    ipf_state_expire(ipf_main_softc_t *);
extern  int     ipf_state_flush(ipf_main_softc_t *, int, int);
extern  ipstate_t *ipf_state_lookup(fr_info_t *, tcphdr_t *, ipftq_t **);
extern  int     ipf_state_init(void);
extern  int     ipf_state_insert(ipf_main_softc_t *, struct ipstate *, int);
extern  int     ipf_state_ioctl(ipf_main_softc_t *, caddr_t, ioctlcmd_t, int, int, void *);
extern  void    ipf_state_log(ipf_main_softc_t *, struct ipstate *, u_int);
extern  int     ipf_state_matchflush(ipf_main_softc_t *, caddr_t);
extern  int     ipf_state_rehash(ipf_main_softc_t *, ipftuneable_t *, ipftuneval_t *);
extern  void    ipf_state_setqueue(ipf_main_softc_t *, ipstate_t *, int);
extern  void    ipf_state_setpending(ipf_main_softc_t *, ipstate_t *);
extern  int     ipf_state_settimeout(struct ipf_main_softc_s *, ipftuneable_t *, ipftuneval_t *);
extern  void    ipf_state_sync(ipf_main_softc_t *, void *);
extern  void    ipf_state_update(fr_info_t *, ipstate_t *);

/* Timeout-queue table setup and teardown, and module/instance lifecycle entry points. */
extern  void    ipf_sttab_init(ipf_main_softc_t *, struct ipftq *);
extern  void    ipf_sttab_destroy(struct ipftq *);
extern  void    ipf_state_setlock(void *, int);
extern  int     ipf_state_main_load(void);
extern  int     ipf_state_main_unload(void);
extern  void    *ipf_state_soft_create(ipf_main_softc_t *);
extern  void    ipf_state_soft_destroy(ipf_main_softc_t *, void *);
extern  int     ipf_state_soft_init(ipf_main_softc_t *, void *);
extern  int     ipf_state_soft_fini(ipf_main_softc_t *, void *);
extern  ipftq_t *ipf_state_add_tq(ipf_main_softc_t *, int);
  332 
  333 #endif /* __IP_STATE_H__ */
